CVSS 3.1 score: 5.7

CVE-2025-55003 - OpenBao Login MFA Bypasses Rate Limiting and TOTP Token Reuse

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to norma…

📅 Published: Aug. 9, 2025, 2:01 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.

CVSS 3.1 score: 6.5

CVE-2025-55001 - OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When …

📅 Published: Aug. 9, 2025, 2:01 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.

CVSS 3.1 score: 6.5

CVE-2025-55000 - OpenBao TOTP Secrets Engine Enables Code Reuse

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected no…

📅 Published: Aug. 9, 2025, 2:01 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.
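Both TOTP entries above (CVE-2025-55003 and CVE-2025-55000) come down to a code being honoured more than once. The following is an added example, written for this page rather than taken from OpenBao, of a validator that spends each time step exactly once: the replay record is keyed on the RFC 6238 step counter, not on the string the client sent, so a re-submitted code is refused however it is re-spelled. The secret, the 30-second period, the one-step skew window and the whitespace normalization are assumptions made for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
	"sync"
	"time"
)

// totpCode returns the RFC 6238 code for one time step (HMAC-SHA1, 6 digits).
func totpCode(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// canonicalize applies the only normalization this checker tolerates:
// whitespace between digit groups is dropped ("123 456" == "123456").
// This is an assumption for the demo, not OpenBao's normalization.
func canonicalize(code string) string {
	return strings.Join(strings.Fields(code), "")
}

// Validator accepts each time step's code at most once. The replay record is
// keyed on the time step rather than on the text the client sent, so no
// re-spelling of an already-used code can slip past it.
type Validator struct {
	mu     sync.Mutex
	secret []byte
	period uint64              // seconds per step; 30 is the RFC 6238 default
	skew   uint64              // adjacent steps accepted on each side of "now"
	used   map[uint64]struct{} // steps whose code has already been consumed
}

func NewValidator(secret []byte, period, skew uint64) *Validator {
	return &Validator{secret: secret, period: period, skew: skew, used: map[uint64]struct{}{}}
}

// Validate reports whether code is the current (or skew-adjacent) TOTP value
// and has not been accepted before. Safe for concurrent use.
func (v *Validator) Validate(code string, now time.Time) bool {
	c := canonicalize(code)
	if len(c) != 6 {
		return false
	}
	cur := uint64(now.Unix()) / v.period

	v.mu.Lock()
	defer v.mu.Unlock()

	// Forget steps that can never fall inside the acceptance window again.
	for step := range v.used {
		if step+v.skew < cur {
			delete(v.used, step)
		}
	}

	lo := uint64(0)
	if cur > v.skew {
		lo = cur - v.skew
	}
	for step := lo; step <= cur+v.skew; step++ {
		expected := totpCode(v.secret, step)
		if subtle.ConstantTimeCompare([]byte(c), []byte(expected)) != 1 {
			continue
		}
		if _, seen := v.used[step]; seen {
			return false // right code, but this step was already spent
		}
		v.used[step] = struct{}{}
		return true
	}
	return false
}

func main() {
	secret := []byte("constructed-demo-secret-not-real") // constructed, not a real key
	v := NewValidator(secret, 30, 1)
	now := time.Unix(1700000000, 0)
	code := totpCode(secret, uint64(now.Unix())/30)
	fmt.Println(v.Validate(code, now))                  // true
	fmt.Println(v.Validate(code, now))                  // false: replay
	fmt.Println(v.Validate(code[:3]+" "+code[3:], now)) // false: same code, re-spelled
}
```

Burning the step rather than remembering the submitted string means the normalization step and the replay check can never disagree about what "the same code" is; whatever canonicalization the front end applies, only one acceptance per step is possible.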

CVSS 3.1 score: 3.7

CVE-2025-54999 - OpenBao: Timing Side-Channel in Userpass Auth Method

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and …

📅 Published: Aug. 9, 2025, 2 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.

CVSS 3.1 score: 5.3

CVE-2025-54998 - OpenBao Userpass and LDAP User Lockout Bypass

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by dif…

📅 Published: Aug. 9, 2025, 2 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.

CVSS 3.1 score: 9.1

CVE-2025-54997 - OpenBao: Privileged Operator May Execute Code on the Underlying Host

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. Howev…

📅 Published: Aug. 9, 2025, 1:56 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.

CVSS 3.1 score: 7.2

CVE-2025-54996 - OpenBao Root Namespace Operator May Elevate Token Privileges

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to th…

📅 Published: Aug. 9, 2025, 1:32 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.

CVSS 4.0 score: 8.7

CVE-2025-54888 - @fedify/fedify: Improper Authentication and Incorrect Authorization

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulner…

📅 Published: Aug. 9, 2025, 1:31 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.

CVSS 4.0 score: 5.2

CVE-2025-54417 - Craft contains a theoretical bypass for CVE-2025-23209

Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requiremen…

📅 Published: Aug. 9, 2025, 1:31 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.

CVSS 3.1 score: 5.3

CVE-2025-55152 - oak: ReDoS in x-forwarded-proto and x-forwarded-for headers

oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers.

📅 Published: Aug. 9, 2025, 1:29 a.m. 🔄 Last Modified: Aug. 12, 2025, 11:47 a.m.
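An added example for CVE-2025-55152, not oak's own code, written in Go rather than TypeScript so the page stays in one language. Go's regexp package is RE2-based and cannot backtrack catastrophically, so the example shows the other half of the defence that applies in any language: cap the header before it reaches any matcher and parse it in one linear pass with a real address parser. The byte and entry limits are assumptions chosen for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Caps applied before any parsing. A header no proxy chain would legitimately
// produce at this size is rejected in O(1) instead of being handed to a matcher
// whose cost grows with input length.
const (
	maxForwardedForBytes   = 1024 // roughly twenty IPv6 hops with ports; assumed limit
	maxForwardedForEntries = 16   // assumed limit on hop count
	maxForwardedProtoBytes = 64   // assumed limit
)

// ParseForwardedFor parses an X-Forwarded-For value into the ordered hop list
// in one linear pass: split on commas, trim, strip an optional port, and let
// netip validate the address. Every failure returns an error rather than a
// partial result, so a malformed header is never half-trusted.
func ParseForwardedFor(v string) ([]netip.Addr, error) {
	if len(v) > maxForwardedForBytes {
		return nil, errors.New("x-forwarded-for: header too long")
	}
	parts := strings.Split(v, ",")
	if len(parts) > maxForwardedForEntries {
		return nil, errors.New("x-forwarded-for: too many entries")
	}
	hops := make([]netip.Addr, 0, len(parts))
	for _, p := range parts {
		p = strings.TrimSpace(p)
		if host, _, err := net.SplitHostPort(p); err == nil {
			p = host // "203.0.113.7:4321" or "[2001:db8::1]:443"
		}
		addr, err := netip.ParseAddr(p)
		if err != nil {
			return nil, fmt.Errorf("x-forwarded-for: bad entry %q", p)
		}
		hops = append(hops, addr)
	}
	return hops, nil
}

// ParseForwardedProto accepts only "http" or "https" (case-insensitively). When
// a proxy chain has appended several values, the first one is the scheme the
// original client used, so that is what is returned.
func ParseForwardedProto(v string) (string, error) {
	if len(v) > maxForwardedProtoBytes {
		return "", errors.New("x-forwarded-proto: header too long")
	}
	first := ""
	for i, p := range strings.Split(v, ",") {
		p = strings.ToLower(strings.TrimSpace(p))
		if p != "http" && p != "https" {
			return "", fmt.Errorf("x-forwarded-proto: bad entry %q", p)
		}
		if i == 0 {
			first = p
		}
	}
	return first, nil
}

func main() {
	// Constructed sample header values, not captured traffic.
	for _, h := range []string{
		"203.0.113.7, 198.51.100.2:8080, [2001:db8::1]:443",
		strings.Repeat("1,", 2000), // oversized garbage: rejected before parsing
		"203.0.113.7, not-an-ip",
	} {
		hops, err := ParseForwardedFor(h)
		fmt.Printf("%.40q -> %v %v\n", h, hops, err)
	}
	fmt.Println(ParseForwardedProto("https, http"))
	fmt.Println(ParseForwardedProto("gopher"))
}
```

Whatever the parser is written in, the cheap length and entry-count checks up front bound the work an attacker can force per request; the per-entry validation then only ever runs on inputs of bounded size.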